Configuring Cisco EzVPN on Cisco ASA and IOS Router

Cisco EzVPN – EASY VPN

A Cisco EzVPN client is basically a hardware VPN client that is always on. It simplifies deployment of branch locations whose public IP is handed out by a DHCP server and constantly changes.

Today I’m setting up a Cisco EzVPN (Easy VPN) between a Cisco ASA5505 and a Cisco 800 Series IOS router in NEM – Network extension mode. The Cisco ASA will be acting as the VPN server and the Cisco router will be the client.

EzVPN NEM – Network Extension Mode

With NEM, you will be able to reach IPs on the client side of the tunnel from the server, whereas in CLIENT mode all traffic is PATed by the client router, so you will only be able to initiate traffic from the client side.

Below is the network diagram I’m using to display my setup. Devices on either end of the tunnel will be able to reach each other bidirectionally, i.e. the desktop should be able to ping the laptop and the laptop should also be able to ping the desktop.

Cisco ASA EzVPN Server end configuration on ASA OS 8.3+

First define the client subnet you want to reach using a network object. This is the IP subnet range on the client side. You can then use this object to define your encryption traffic as shown below in the static NAT statement.

Set up a split tunnel access-list to define the traffic that will be routed over the tunnel from the client side. This access-list will be pushed out to the client when the VPN tunnel is established.

access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0
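
To check which destinations the split-tunnel list above actually sends through the VPN, the following added example (not part of the original post) parses standard permit entries in ASA syntax and tests sample addresses against them. It assumes the group policy uses the list to specify the tunneled networks; the function names and the sample destinations are constructed for illustration.

```python
import ipaddress
import re

# ACL line taken from the page. ASA standard ACLs use subnet masks, not wildcards.
ACL_TEXT = """
access-list EZVPN_SPLIT_TUNNEL standard permit 10.0.0.0 255.240.0.0
"""

_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+permit\s+"
    r"(?:(?P<any>any4?)|host\s+(?P<host>\S+)|(?P<net>\S+)\s+(?P<mask>\S+))\s*$"
)


def tunneled_networks(acl_text, acl_name):
    """Return the networks that the named standard ACL's permit entries select."""
    nets = []
    for raw in acl_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m or m["name"] != acl_name:
            continue
        if m["any"]:
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif m["host"]:
            nets.append(ipaddress.ip_network(m["host"] + "/32"))
        else:
            # strict=True raises if the address has bits set outside the mask
            nets.append(ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=True))
    return nets


def is_tunneled(dest, nets):
    """True if dest matches a permit entry, i.e. it is sent over the VPN."""
    addr = ipaddress.ip_address(dest)
    return any(addr in n for n in nets)


def coverage(nets):
    """(CIDR, first address, last address) for each tunneled network."""
    return [(str(n), str(n.network_address), str(n.broadcast_address)) for n in nets]


if __name__ == "__main__":
    nets = tunneled_networks(ACL_TEXT, "EZVPN_SPLIT_TUNNEL")
    for cidr, first, last in coverage(nets):
        print(f"{cidr}: {first} - {last}")
    # Constructed sample destinations as seen from the client side
    for dest in ("10.1.1.10", "10.15.255.254", "10.16.0.1", "8.8.8.8"):
        print(dest, "-> tunnel" if is_tunneled(dest, nets) else "-> local path")
```

With the mask 255.240.0.0 the entry covers 10.0.0.0 through 10.15.255.255, so client traffic to 10.16.0.0 and above, or to any public address, leaves by the client's local path rather than the tunnel.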

Next you will need to define a group policy for the client. All these settings will be pushed out to the client upon connectivity to the VPN. Make note of the NEM enable option on the last line, as this will enable the Network Extension mode option. Also, you will need the password-storage enable option to allow the client username to be stored on the device. Otherwise you will be prompted to enter the username and password each time you establish the tunnel.